A. N. Ananth, CEO, Prism Microsystems, Inc.

Stephen Northcutt - August 7th, 2009

A.N. Ananth, CEO of Prism Microsystems, Inc. was one of the original architects of the EventTracker product offering, Prism’s enterprise log management solution. We certainly thank him for his time to be interviewed for our Securitylab Thought Leader series.

Ananth, I know you have an extensive background in product
development and operations for telecom network management. I also
understand you have field experience consulting for companies on their
compliance strategy, audit policy and automated reporting processes.
What are the two or three biggest pain points you typically find?

In 2009, we find much greater acceptance by organizations about the
need to "do something" about IT security and even about SIEM/Log
Management. There is, however, rampant confusion about exactly what
needs to be done and in what order. Enterprises clamour for specificity
but, sadly, most regulatory guidelines are quite vague, leading to
delay or paralysis in execution. Usually an episode such as a security
breach or audit failure focuses senior management very quickly. The
biggest pain points, therefore, are 1) Actionable plan to address IT
security, and 2) How to prioritize the execution given real-world
budget and staff constraints. Recommendations like CAG are helpful in
this regard.

My understanding is that you co-founded Prism, can you tell me
a bit about your work experience that got you to the place you are now?

I come from a background of telecom product development and network
management. In that universe, considerable emphasis is placed on Fault
Management, the network having extremely high uptime requirements (four
9s is routine). The shift in the data center from a few minis like VAX
or IBM to many smaller servers like Intel or SPARC was clear, but the
corresponding disappearance of the "operator" was confounding -- who
replaced those functions? Some problems have almost disappeared, such
as chargeback, but many remain, such as upgrades, log management, etc.
It turns out, in many of the mid-size organizations these issues are
ignored as much as possible and, to this day, it’s a problem.
It’s the difference between a NOC mindset and an IT mindset. We
developed the initial versions of our products to resolve these
problems and formed the company to commercialize and support these
solutions.

I agree with you, people tend to ignore their logs, but in this
busy world you have to establish priorities. Why is log management a
priority? What will happen to me if I don’t look at my logs? Who
will even know?

While log data is useful in myriad ways, we classify uses broadly into
three groups, viz Operations, Security and Compliance. Let’s look
at each with an example. Operations is both the most common and the
most overlooked: Not paying attention to logs can cost you BIG money,
when your disk space goes low, when an admin inadvertently changes
virtual machine configuration, when a backup job fails but goes
unnoticed, etc. Security use cases get the most press and range from
being owned and not knowing it, to loss of Intellectual Property, which
when made public causes a loss of confidence. In the Compliance use
case, the auditor will certainly know, and if they are doing their job,
your senior management will hear about it. In these difficult economic
times log management should be a priority because: a) It can save you
serious money in Operations; b) Security is everyone's concern, more so
if you are having employee churn; and, c) Compliance regulations are
here to stay, for good reason.

Many of our readers may not be familiar with EventTracker, can you give us the $.25 tour?

EventTracker is a Security Information and Event Management solution
that combines classic Log Management functions such as real-time
processing, correlation and alerts with positive security features such
as whitelisting, file integrity monitoring and compliance/assessment
features.

We have relentlessly focused on the medium enterprise since 2001 and
are currently shipping version 6 of the product. Our strong background
in the operation of mission critical networks serves us especially well
in understanding and addressing the problem.

You mention a focus on the mid-size enterprise. What is unique about this market?

All enterprises are ever more dependent on their IT but mid-size
enterprises have it particularly hard. The corner hardware store gets
to put up a "Gone Fishing" sign if the computer acts up while waiting
for resolution, the F-500 giant gets to outsource the problem to a
dedicated team. Neither is true for our customer base. Plus nobody is
loosening the regulatory guidelines based on size, nor are hackers
cutting them a break. Add in budget constraints and vagueness in
regulations and it gets pretty hard.

Our customers prefer strong robust features but demand quick install
and ROI and low on-going TCO. As an analogy, a Formula-1 race car is
great to own and goes really fast in the straights but unless you are
driving at the Circuit de Monaco and have a dedicated pit crew,
it’s more trouble than its worth. Some of the products in the
SIEM space are comparable to such race cars, whereas EventTracker is
more like a high performing sedan, much easier to own and operate, and
applies to a large variety of daily use cases.

In general, the biggest factor in the Total Cost of Ownership
or TCO for a log management solution is the time an operator has to
spend on the console identifying the actionable items and running them
to ground. What are some ways that EventTracker’s design helps
reduce TCO?

Great question. Looking at logs gets old even for logaholics and time
is always a scarce resource for Admins. In broad terms, we recommend
that users: a) Configure alerts for well defined cases; b) Examine
specific summary and trend reports driven by business priority (users,
systems, applications); and, c) Go to detailed analysis only as needed.
An ounce of prevention being worth a pound of cure, as the saying goes.

To elaborate further, never mind the logs, think top down – what
are the business scenarios of interest? Privileged use? USB activity?
Intrusion attempts? Compliance workflow? They can be single events or
require multi-event correlation. These are the conditions that you know
and can define. EventTracker offers a correlation engine and various
alert notification methods to help. We also ship a broad set of
Knowledge Packs which include rules for popular applications and
platforms.

Next, configure summary and trend reports on assets and users that are
important. Examine these regularly for outliers – these are the
conditions that you will know if you see them. EventTracker offers
various summary and trend reports including modules to detect unusual
activity. If needed, analyze log files to address specific questions.
EventTracker includes an excellent analysis console and a powerful
search interface for this purpose.

Since you have been working in this space for many years, how do you think SIEM evolved and what future trends do you see?

Think back to the IBM System/360 announced in 1964, it emitted logs
which the operator had to examine to know about its health and job
status. Fast forward to VMware and Windows 2008, these also emit logs
to inform Administrators about their health and status. In the five
decades in between, almost nothing about computing has remained
unchanged -- CPUs, memory, sizes, programming languages, user
interfaces, etc. However, logs are still essentially used for the same
purpose as nearly 50 years ago; many more logs from more sources in
different formats with ever increasing obscurity and in enormous
volume, same reason. This shows that the problem is a basic one that
must be addressed by every generation of computing.

Some trends:

The data center is being transformed by virtualization in almost
all industries. Hypervisors such as VMware and Hyper-V are increasingly
common and these bring their own set of challenges to SIEM. As a
software-only solution with deep support for such technologies,
EventTracker is particular well suited for these datacenters.

Uncertain economic times in many verticals are leading to
tactical deployments of SIEM solutions. CIOs are demanding meaningful
business cases to justify spend and often constraining the
purchase/rollout to maximize ROI. Here again, with our pricing being
per managed node, highly granular buys and upgrades are easy.

Looking forward, our industry must resolve the "shallow root" problem.
SIEM solutions are currently deployed by IT Departments for their
internal needs (usually security, compliance and operations). To more
fully realize the potential of this technology, SIEM must provide value
to more touch-points across the business process.

I am not familiar with the term “shallow root”, can you please elaborate on what this is and why it is a problem?

As long as SIEM solutions are useful only to a few people in the
enterprise i.e., a subset of the IT Department, then the technology has
“shallow roots” within the enterprise and its potential is
not being fully realized. SIEM can be valuable across the enterprise,
especially to data owners (usually middle management). IT is normally
the curator of the systems where data resides, whereas the true owners
of data can and should receive value from SIEM technology. For example,
a sales manager whose team generates quotes and receives Purchase
Orders is much more likely to recognize suspicious behavior if shown
audit logs (who accessed, when, who added/deleted or copied to USB)
than the IT Department, who can only go by well defined rules on
acceptable behavior.

Without this, SIEM is relegated to the role of a specialized tool
delivering limited value to a small set of users. The technology can
and should be asked to do a lot more across the business process.
Innovations like mashups, web services, and web slices are potentially
useful in this regard.

The buzz today is about Cloud Computing, what implications do you see for IT security in general and SIEM in particular?

Cloud Computing is a tradeoff between efficiency and sovereignty. It is
now an over hyped term. We see variations such as on-premise clouds,
dedicated remote clouds, shared business class clouds and consumer
clouds, each offering different levels of service at different price
points.

We see the mid-size enterprise of tomorrow using a mix of a form of
cloud computing, SaaS and dedicated on-premise infrastructure, in
accordance with cost/security drivers.

Cloud computing represents an opportunity to build security from the
beginning instead of making it a bolt-on later. It remains to be seen
if this will be so, we hope past is not prologue (as is carved on the
National Archives Building in Washington, D.C). SIEM must adapt to this
universe to be relevant. This means many things including
multi-tenancy; the ability to forward some SIM information to the
platform provider (e.g., ISP) but other data from the same machine to
the end-user/customer; ideally, standards for SaaS providers, but in
their absence, broad support for the popular players.

One of the traditions of the Thought Leader project is to offer
a bully pulpit, a chance to share what is on your mind, what would you
like to share with our readers?

Demand more from your SIEM solution. The technology has the potential
to be useful in multiple ways. Remember, the bad guys depend on the
fact that if you do collect this information, usage is limited to
compliance.

I have seen your blog and it is one of the most educational and useful
resources related to logging I have ever seen. Do you have any war
stories where a logging system has been used to catch an internal or
external criminal? I know some stories from health care where employees
were looking at medical records they should not have such as Britney
Spears and George Clooney. I also understand the IRS does something
similar with respect to tax records, but you are closer to this area,
what are one or two of your favorite log management stories?

Thanks for the kind words on the blog, it’s quite a bit of work. Here are my favorites:

A financial institution let a Sys Admin go on a Friday. Naturally, this
person’s account was disabled in Active Directory. Late Friday
evening, an existing account was used to access payroll data, which it
was not authorized to access. EventTracker was configured for remedial
action (disable the account in AD) and notification (e-mail the admin
group). Analysis showed the account came through the VPN and was traced
to the cable modem at the ex-employees home.

At a local government agency, an employee was dismissed and one reason
was repeated violation of Internet use policy. The employee sued for
wrongful dismissal. EventTracker was being used to get logs off the
originating system and saved in a central, secure repository. The court
found that given the archive method used by EventTracker (SHA-1
signed), it was not reasonable that the logs could be faked in an
attempt to discredit the employee and that the employer had exercised
due care in protecting the logs from tampering.

Another interesting story is of a dairy cooperative in Western Canada
that actually uses EventTracker to monitor a cow milking application
which is critical to their operation.

Can you tell us something about yourself? What do you like to do when you are not behind a computer?

As our kids are quite young (one is still in diapers), I spend a lot of
my free time looking at the world through their eyes and find it very
enjoyable. In an alternate reality, I beat Ken Jennings in Final
Jeopardy!